Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[iMx]

Does anyone use a Billion 8800NL in half bridge? 

It seems that it opens port 8080 to the world, but it doesn't seem to be possible to stop it - remote access is disabled, half bridge disables the firewall by default, it is not the router behind the modem responding to port 8080 as a tcpdump shows any packets to 8080 are intercepted by the router itself.

Edit: Running    2.32e

[iMx]

Adding a manual firewall rule to block everything but my laptop to port 80 fixes it:

Code: [Select]

iptables -I INPUT -s ! x.x.x.x -p tcp --dport 80 -j DROP

[iMx]

Here's the culprit a redirect in the PREROUTING NAT table, so it will take any connection on port 8080 and redirect to the internal port 80:

Code: [Select]

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
VS_X_PRE   all  --  0.0.0.0/0            0.0.0.0/0
VS_PRE     all  --  0.0.0.0/0            0.0.0.0/0
1to1_PRE   all  --  0.0.0.0/0            0.0.0.0/0
RMA_PRE    all  --  0.0.0.0/0            0.0.0.0/0
DMZ_PRE   !icmp --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 to:192.168.2.254:80

[iMx]

And worryingly, it does the same for port 2323 to port 23 (telnet) on the external:

Code: [Select]

root@watchman:~# telnet x.x.x.x 2323
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
Broadband Router
Login:

Code: [Select]

   26  1352 DNAT       tcp  --  ppp1.1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 to:192.168.2.254:80
    1    52 DNAT       tcp  --  ppp1.1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2323 to:192.168.2.254:23
I hope anyone that uses half bridge has at least changed the default password....

[iMx]

Code: [Select]

# iptables -t nat -nL PREROUTING -v --line-numbers
Chain PREROUTING (policy ACCEPT 16961 packets, 1087K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     7022  471K VS_X_PRE   all  --  *      *       0.0.0.0/0            0.0.0.0/0
2     7022  471K VS_PRE     all  --  *      *       0.0.0.0/0            0.0.0.0/0
3     7022  471K 1to1_PRE   all  --  *      *       0.0.0.0/0            0.0.0.0/0
4     7022  471K RMA_PRE    all  --  *      *       0.0.0.0/0            0.0.0.0/0
5     1011 69485 DMZ_PRE   !icmp --  *      *       0.0.0.0/0            0.0.0.0/0
6       26  1352 DNAT       tcp  --  ppp1.1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 to:192.168.2.254:80
7        1    52 DNAT       tcp  --  ppp1.1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2323 to:192.168.2.254:23
8     4403  313K MWAN_PRE   all  --  *      *       0.0.0.0/0            0.0.0.0/0

# iptables -t nat -D PREROUTING 7
# iptables -t nat -D PREROUTING 6
Rules 7 and 6 need removing, 7 first, then 6, then saving/editing the default (anyone know how/where, before I hunt/google?).  This then stops external access.  Have to say, I've only had this device a week, other than a higher sync speed I'm not impressed by the various little niggles and bugs, this one tops it off.

EDIT: Oh, 'save' from the main CLI perhaps

[iMx]

Edit, came back after reboot... checking wrong router!  After a reboot:

Code: [Select]

# iptables -t nat -nL PREROUTING -v --line-numbers
Chain PREROUTING (policy ACCEPT 1107 packets, 79888 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       tcp  --  ppp1.1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 to:192.168.2.254:80
2        0     0 DNAT       tcp  --  ppp1.1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2323 to:192.168.2.254:23
3     1065 76544 MWAN_PRE   all  --  *      *       0.0.0.0/0            0.0.0.0/0

[Chrysalis]

what is half bridge mode?

[skyeci]

As a modem connected to your own router I would assume.

[iMx]

Billion does the PPP session, hands the external IP to the router behind.

[Chrysalis]

what reason you doing that instead of full bridge?

[iMx]

what reason you doing that instead of full bridge?

I wanted to rule out something on the PPPoE side, then came across this.  But PPPoE is expensive, in terms of CPU, why not make use of the CPU there.

[Chrysalis]

ok

good idea to offload pppoe processing from main router.

[iMx]

Billion confirmed the bug and released 2.32e.d4

I haven't tested any other modes, i.e non-half-bridge, to see if remote access is still open, if you're using one of these might want to

[shadow4dog]

Thanks iMx. Really useful as I was looking at doing this.

Is the router still addressable on it's LAN address to see stats etc?

Thanks
Tim

[iMx]

Yup, I have both of mine graphing using 2 ports per router - 1 for WAN, 1 for management/stats.  I didn't check, but you might be able to do it with the one cable, i.e just the WAN.

I did check the Billion forum and they still seem to be listing the old version, unless it has been (hopefully) silently changed in the background.  I was curious and left an unpatched, half bridged, but null routed in a separate routing domain, 8800NL, with the default password..... just over 5 hours later it had had it's DNS servers changed......